Hacking with Bryan Seely. Exposing Big Tech Security Flaws.

Show Notes

Bryan Seely joins us is a refreshing and hilariously entertaining episode. Bryan is a world-famous cyber security expert, ethical hacker and former U.S. Marine. He is known for his book (Web of Lies) and for intercepting calls to the U.S. Secret Service & FBI, as well as finding major exploits at LinkedIn and several government 3-Letter agencies. 

Connect with Bryan: www.bryanseely.com

Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Chapters

• 2:48: Brian's Background in Computers
• 5:52: Transitioning into Civilian Life and Cybersecurity
• 7:03: Importance of Frameworks in Cybersecurity
• 9:45: Psychology Behind Social Engineering
• 12:17: Hacking Google Maps
• 14:32: Personal Experiences and Their Impact
• 19:20: TMZ Interview and Racism on Google Maps
• 22:46: Wiretapping the Secret Service and FBI
• 26:01: Vulnerabilities in Google Maps and Response from Authorities
• 30:37: Vehicle Hacking and Infotainment Systems
• 32:41: The Problem of Fake Reviews on Platforms
• 42:42: Exploiting Emotions and Manipulating Victims
• 44:52: Best Practices for Cybersecurity and Fraud Prevention

Transcript

🚨 New Episode🚨 Bryan Seely, a world-famous cyber security expert, ethical hacker and former U.S. Marine joins us is a refreshing and hilariously entertaining episode. He is known for intercepting calls to the U.S. Secret Service & FBI, as well as finding major exploits at Google, LinkedIn and several government 3-Letter agencies. We discuss

 

Connect with Bryan: www.bryanseely.com

 

 

http://www.youtube.com/@cybercrimejunkiespodcast

Takeaways

 

Brian Seeley's interest in computers began as a result of his difficulty in socializing with others.

The amygdala hijack plays a significant role in social engineering, triggering an emotional response that overrides logical thinking.

Many people continue to fall for social engineering tactics because they are rushed, stressed, or not paying attention.

Mindfulness and self-care are essential in dealing with trauma and stress, allowing individuals to process their experiences and be present in the moment.

Google Maps has vulnerabilities that can be exploited, such as manipulating listings and redirecting calls, highlighting the need for improved security measures. Reporting vulnerabilities can be challenging, and skepticism from authorities is not uncommon.

Vehicle hacking is a real concern, and there is a need for ongoing research and security measures to prevent potential risks.

Fraudulent activities, such as creating fake companies and reviews, are prevalent and require constant vigilance.

Deepfakes pose a significant threat, and it is crucial to develop strategies to detect and combat them. Be cautious of communication channels outside of official platforms and be aware of scammers who push the urgency button.

Understand the risks and threats in various situations, such as hiking in bear country.

Use strong and unique passwords, and consider using a password manager.

Use VPNs to protect your online privacy and security.

Regularly check and remove personal information from the internet.

Always verify information independently before taking action.

Be aware of the dangers of deepfake technology and the potential for voice mimicry.

 

Sound Bites

 

"People are using it to expand their businesses into locations they don't actually have for mobile businesses, carpet cleaning, locksmiths, whatever."

"I switched Hillary Clinton and Donald Trump's campaign phone numbers or headquarters and screwed every... Oh, I almost... I was so close."

"Your modus operandi was for solving a problem and to identify, it's like a vulnerability test really."

"It was a demonstration of really good technical skills and really poor judgment."

"I put a snowboarding shop in the White House called Edward's Snow Den."

"There's no way you'd be tracked."

"Why do people not realize they're not going to communicate to you through freaking WhatsApp?"

"There should be a process that every employee goes through in the very beginning saying these are the threats that are out there."

"You're bear food. You're going out there to bring food to bears."

 

 

Summary

 

In this conversation, David Mauro interviews Brian Seely, a former US Marine and infamous hacker, about his background in cybersecurity and his experiences with hacking and social engineering. They discuss topics such as the vulnerability of Google Maps and the manipulation of search results, the psychology behind social engineering attacks, and the importance of cybersecurity awareness and training. Brian also shares personal stories, including his involvement in rescuing his stepdaughter from trafficking. Overall, the conversation highlights the need for stronger security measures and the impact of cybercrime on individuals and society. The conversation covers various topics related to cybersecurity, including car hacking, fraud, deepfakes, and best practices for personal security. The guest emphasizes the importance of being aware of potential threats and taking steps to protect oneself. He suggests using unique and strong passwords, using VPNs, and being cautious of phishing attempts. The guest also highlights the need for independent verification and not blindly trusting information received through unconventional channels. Overall, the conversation provides valuable insights into the world of cybersecurity and offers practical advice for staying safe online.

 

Chapters

 

00:00 Introduction and Overview

01:37 Brian's Background in Computers

04:31 Transitioning into Civilian Life and Cybersecurity

06:43 The Importance of Frameworks in Cybersecurity

08:33 The Psychology Behind Social Engineering

11:44 Hacking Google Maps and Demonstrating Vehicle Hacking

13:11 Personal Experiences and Their Impact

16:21 The Challenges of Public Speaking and Self-Reflection

17:18 TMZ Interview and Racism on Google Maps

20:37 Wiretapping the Secret Service and FBI

24:02 Vulnerabilities in Google Maps and Response from Authorities

28:33 Vehicle Hacking and Infotainment Systems

29:25 Conclusion and the Ongoing Battle in Cybersecurity

29:47 Challenges of Identifying and Programming Vehicles

30:52 The Problem of Fake Reviews on Platforms

31:16 The Dangers of Deepfakes

32:36 Exploiting Emotions and Manipulating Victims

39:32 Best Practices for Cybersecurity and Fraud Prevention

 

 

 

Dino Mauro (00:01.366)
you

Dino Mauro (00:13.174)
Join us as we go behind the scenes of today's most notorious cybercrime. Every time we get online, we enter their world. So we provide true storytelling to raise awareness, interviewing global leaders, making an impact and improving our world, translating cybersecurity into everyday language that's practical and easy to understand.

We appreciate you making this an award -winning podcast by downloading our episodes on Apple and Spotify and subscribing to our YouTube channel. This is cyber crime junkies and now the show.

Dino Mauro (01:03.054)
Well, welcome everybody to Cybercrime Junkies. I'm your host, David Mauro and I'm very honored today to be joined in the studio by none other than Brian Seely Brian is a keynote speaker, infamous hacker, author of Cyber Fraud, The Web of Lies, along with lot longer title. We'll get into that in just a second, Brian. No need, that book sucks. It's a good book, actually. In a former US Marine, he's the only hacker and speaker who has wiretapped

the US Secret Service and the FBI. And he's also been interviewed by Harvey Levin on TMZ, which we're going to get into as well. Brian, welcome to the studio, my friend. Thanks for having me, David. No, great to great to meet you. Great to have you on. So little background. When you grew when you were growing up, did you know you wanted to be involved in security? Did you know you wanted it even?

That's like saying using a debit card and having a pin number means I wanted to get into two factor authentication development. Like, I mean, it's, it's sort of qualifies you, but not really. I knew I was good at computers because I was terrible at talking to girls. Like whatever day in that was. Then we're all really good at computers apparently. I've always enjoyed being on the computer. like simulation games then. I lived in Japan.

for a lot of my childhood. Really? Why is that? you... parents brought overseas? My dad was an expat for a while, but what ended up happening after World War II was both of my grandparents became missionaries and raised their families collectively over there. So my mom was a family of five, my dad a family of six. And like, I'm talking like six kids in eight years. Like, serious baby boomer.

Yeah. Generation and all of them raised in Tokyo. So my father's 65, 67 or something like that. He lived in Japan almost 50 years. Wow. It's for lack of a better word home. Yeah. But coming over to the U S joining the Marine Corps. I I was okay on a computer, but I wasn't proficient. mean, I had done tech support since middle school. Okay. Because the community on Tokyo was like,

Dino Mauro (03:29.324)
I was being able to like set up a printer and install software. It was still, there was no YouTube, like tutorials. was no Wikipedia, So intuitively I understood it. And that was sort of like the base of operations for the foundation for learning this stuff. But I didn't even really learn most practical skills that I use every day until after the Marine Corps. Yeah. But it all gave you that sort of the base to operate from. When you, when you join the Marines and thank you for doing that, by the way.

That is a it's awesome. We're part of InfoGuard. We try and help out any way we can but we were not

Dino Mauro (04:12.622)
We haven't served. I'm always in all of people. Everyone's conserved in their own way. It doesn't make one service better than the other. And there's plenty of people who were in the military who get thanks for their service who don't deserve it. It's awful things while they were in the well in recore or other services. So thank you. It was my pleasure. But I know a lot of people that I look up to are firefighters or cops or absolutely. Yeah.

therapists or other people who've dedicated their lives to helping other people. And they've made a real impact on me. And that's, that has shaped my, I guess, worldview and sort of outlook generally in life. So how did you, so in the Marine Corps, did you join in like the cyber brigade or the cyber, or, did you just after, after the Marine Corps, you migrating and transitioning into civil or civilian life. That's where you.

I got into, I was a linguist in the Marine Corps. Okay. But after the Marines, I did sort of basic junior level tech to like a systems engineer level. So, yeah, a lot of windows consulting, some Mac, some desktop support, and that quickly turned into like specialty exchange.

Office 365 stuff and just sort of based from there, I got a bunch of certs and started realizing, okay, like this is something I understand. enjoy it. Now I do security consulting and NIST assessments and documentation upgrades and large scale architectural builds and working with like a major airline at this point or a department of energy laboratory to do.

Revision four to revision five, NIST assessment, documentation, gap analysis. Super boring if you aren't into it and if you maybe take the project with the wrong sort of approach, but realizing like how important some of these things are in getting the security controls documented properly to prevent anything from happening. Yeah, you need to have a framework. Yeah. I mean, we need to have a framework because there is no like

Dino Mauro (06:36.268)
state of being completely secure. And, know, unless you're all just unplugged and you're out in the woods, right. But other than that, like there is no real state of that. And so you need a framework and different industries have different variations of similar things, but you have to, you know, they're, they're all the main highlights and you have to do certain things too. I always look at it almost like a phase of maturity, right? Like as you

bolstered down and you improve on certain controls, then you become more secure and then your aim should be to evolve. what I've learned a little bit in like therapy or psychology was like, if you push people too fast to learn something, they'll go outside of that sort of optimal window for learning. Like the 10 % over your capability is generally like where you should be targeting things.

Anything after that, you're going to injure yourself if it's exercise. You're going to be frustrated, stressed out, and it's not going to be productive. If you do that to your users and you try to advance maturity too fast, they're going to revolt. They're going to leave. It's going to be frustrating. So you introduce things slowly, plan it out. You don't throw too many things at them at once and maybe treat it as if it's your responsibility to make sure that they're trained up on certain things rather than.

Well, you failed that pen test. The social engineering email test, you're fired. I might have had an opportunity to fish 30 CEOs as part of a summit and during my keynote presentation, handed them results of this secret pen test they didn't know they were part of. And 75 % of them failed. Abysmally. Right.

And they all laughed it off. But it was like the point was to deliver a message like you guys failed this with very little effort on my part. The other ones only did only didn't fail it because they weren't answering their phones. They were on the plane. They were on vacation. They didn't even read it. It just takes a few minutes and a couple of different click on the link. They didn't even read it. Open Facebook profile. you like the Red Wings. You just won season tickets. How lucky is that? Right. Wow.

Dino Mauro (08:56.33)
And like it just happened. We'd like to send the tickets. Where should we send them? Will you be at the summit? Is your wife attending? We send them to your home or should we bring them to you at the conference? no, no, no, no one's going to be home for two weeks. Unbelievable. Like, so yeah. So what you're talking about is that the pre -texting and social engineering and then the execution of it and

Why is it do you think, I just want to ask this right off the bat. Why is it do you think that so many people continue to fall for social engineering and they forget, like in hindsight, they can look back and say, why did I not recognize it? It's so obvious, right? Like, why did I not? theory that I don't think anyone's put together yet. And I'm by no means a psychology expert or anything else, but I want to hear it. I want to hear it.

Dino Mauro (10:19.896)
You're not doing them properly. You're not paying them the appropriate amount of attention that things should be because you're rushed because you have a lot of things on your plate. So if you are running through your life, but with the concept of inbox zero, this goal of having no notifications in your email inbox, it means when you get too many emails, either a you're not going to click on all of them.

or B, you're going to shortcut to get through all of them and you're going to triage quickly. Triaging emails quickly is a recipe for disaster. You will not get good results when you rush things. Yeah. What's your, what's your thought on the, I've interviewed some, some neuroscientists and what they've talked about is that McDill hijack, right? And how when they appeal, when they tap it, let's say they do take the time to read something and

It's that sense of urgency. This is going to happen. You've got to go in and verify something within 24 hours. Otherwise you're going to lose access to some system or something. Immediately those things work on tons of people. Really? It really works. And they talk about the amygdala. It triggers something emotionally where then you're in amygdala hijack that, that, that, that foundational reptile brain of

fighter flight, like there is a wooly mammoth in the village type mentality, right? And you, you, you can't remember your neocortex, your thinking brain, your more modern brain can't operate during that time. And you can't actually remember the logical training that you've received. so then you just watch, you could watch videos by Jocko, some of his content and what Navy SEALs would do in

terms of how they breathe to combat stress or how they breathe to prepare for stress and the length of box breathing or like there's all these different techniques to be able to get to sleep or how to wake up or how to prepare for something that's going to require your very utmost of focus, you know, like getting shot at. That's definitely a situation where an amygdala hide.

Dino Mauro (12:42.294)
Amygdala hijacking slash adrenaline rush would probably help. That's what it's there for. It's to combat an imminent threat that you need to be ramped up and ready for someone sending you a text message that you haven't verified. Shouldn't put you into fight or flight, but we've found ways to social engineer, AKA lie to people pretexting. It's just lying.

So instead of complicating it for people, need to figure out how to lie to you to you go, okay, here's my money. And, the thing that's going to allow you to get my money.

people will, there's been a, for example, there's one common one that on the border of Mexico, people will pretend that they're calling from Mexico, from a police station where someone was arrested for peeing on a church while he was drunk. Meanwhile, he's home playing Xbox, but they're calling grandparents who watch Fox News.

And they're looking for people who are going to buy into this story. the federalities are coming. You can bribe us, but you can't bribe them. And then he's going to prison and that'll be it. Send us a thousand dollars, Western union, no questions, no cops. And they do it. And you think that's so like it's off app there. It's okay, but you're not ready for the next level. One of my agents who represents me for speaking, I was talking to not even a few months ago.

Yeah. Deep fake.

Dino Mauro (14:32.088)
So, this woman is now permanently traumatized, who has heard her daughter being kidnapped, a simulation of it, but thought it was real. That's an amygdala hijacked if I ever heard one. And I can't even imagine going through that, except that I kind of can. My stepdaughter was trafficked seven years ago. You're kidding. Brian, you're kidding. My God.

It is one of the reasons I kind of didn't do a lot of public stuff for a while. Yeah. It took a long time to get out of. was a like whatever the action movie story narrative is. I'm a Marine. I'm a hacker. I rescued my kids six weeks later. Police did a raid on a house that I led them to and she's safe. However, you use your skills. Yes. To rescue her, which is phenomenal. And then immediately fell apart. Well, yeah, exactly. Because they don't show that in the films.

No, they don't show that in the movies. They just they end right at the reconciliation. And then he goes to like voice lessons with his daughter in a pop star's house. And he's he's got that sexy voice. Yeah. It's a place for movies. People want to think they're going to be a hero. You don't want to find yourself in that position. I don't know how to explain how devastating it is. No, but it's phenomenal that least it. I hate to like, you know.

This is the first time hearing of this. So yeah, no, totally at least it could have been worse. It could have been worse. you almost every scenario was worse. Yeah. So you did remarkable work. However, like the first time I talked about it really on stage was a couple of years ago for a keynote. I almost didn't do it. Yeah. The point, I guess the, the point of all of it was to make anyone who's ever gone through something like that. Cause it's not like we share any of that stuff.

publicly very often, it's the stuff we don't want to share. We share the, I'm going to Dubai. I'm flying this amazing first -class ticket thing, not, I'm going to therapy to make sure these nightmares go away. Cause I don't know how to make it. Cause I haven't slept in six weeks and I keep having the same nightmare recurring dreams. Yeah. But guess what? The friendships you make when you do share those kinds of things, you end up having people who will go to, you know, go through anything with you. Yeah.

Dino Mauro (17:00.214)
And you need to be able to slow down and process stuff that's happening in the moment. If you're not able to do that, you might be dealing with unresolved trauma. You might be dealing with things that are causing you to have to not be alone, be around people. For example, drinking or doing drugs or overeating or gambling. They are all external distractions that are preventing you from being good by yourself.

You don't have to be alone. Even if you're by yourself, you can be good. You can just, you can have a meal. can do some nice for yourself. But a lot of people don't do that myself included until I processed enough of this stuff going, wow. Okay. That that's starting to make sense. Well, and so many of us keep busy just to keep busy, right? It's just, we move on from one distraction to the next so that you don't have to sit in a room and have

still think that you're falling behind and everyone's kicking ass at life. You know, they've got books on your shelf and I haven't even finished my second book and the first one wasn't great. But it's also the best and worst book on the side. I have put your book on the shelf. No for the video. Don't do that. By the way, it's the worst book. It's not, you know what, on the subject, I refuse to listen to these episodes because I can't stand the sound of my voice.

But I'll listen to the guests speak. How many when I do the clips, I want to hear what you guys have to say. I just don't want to hear myself. This is the good stuff. How many episodes have you done now? Two hundred and thirty eight, I think. See, even at two hundred and thirty eight, you still haven't gotten used to it. No, I don't like it either. That's one of the worst tasks of having to go through. And like I have two hundred podcasts I want me to come on, not as like a brag. It's more like, and that means two hundred potential hours.

of having to listen to my own stupid voice. I don't want to hear that. I want to listen to other podcasts and, and, check out for a bit. Yeah, I know. I know, but it's, it's all about spreading awareness and it's about meeting like people that are, that have played an important, you know, role in the fabric of what we're all dealing with today. So let me ask you, let me segue a second for, so I saw your TMZ.

Dino Mauro (19:17.216)
Interview and for the I think if we post this on YouTube, I don't know if I'm allowed to post the TMZ I'm sure you're allowed to post part of it in terms of yeah just for us to to to talk about but the audio listeners will hear the whole interview and it was phenomenal by the way, so Walk me through this you get a call from TMZ and what is going on because this is the there's the Google algorithm that allows people

Like walk us through what was going on. Someone used a technique similar to what I did on Google Maps to make things that weren't there actually show up on Google Maps. Some of the pranks listings I did were like I changed the Library of Congress to the Zoolander School of kids who can't read good. That's awesome. I mean, on Google Maps, when you go there and you look up the Library of Congress address, it says the Zoolander School of it did for a little while. Yeah.

That's freaking brilliant. That's good. Yes, so many funny ones. can't have a sense of humor in life and see the great like art that is involved. you want to cut this next part market, but I made something on Bing Maps that's probably still there in the World Trade Center. There's an office of the lemon party. And it's got my cell phone number on it. And it's been there for like seven years. My god.

And I'm like, dude, this is unacceptable. But Bing Maps is just a nightmare. Yeah. So Google, my whole battle with them was like, Hey, this is a vulnerability. You guys aren't doing anything about it. Like, that's just spam. And so I demonstrated it a few times and then eventually just wiretap the Secret Service and the FBI without permission because naturally that's what was the next step, I guess. Yeah. How we know how did the one go from that to the other? That's the part I'm missing. So you have Google Maps, you're putting these like,

You know, on address for Marvel instead of the people are using it to expand their businesses into locations. They don't actually have exactly or mobile businesses, carpet cleaning, box, mess, whatever. says either scam people or beat their competition in one way, or form or for lead jet. There's a lot of scenarios. So it doesn't make it easy to pinpoint what someone's up to. However, that's going for money. What if we go for the other thing, information or power?

Dino Mauro (21:44.44)
Yeah.

and secret service in Washington DC and just creating duplicates of the originals, same website, different phone numbers, same address, and then flagging the originals as spam. They disappeared and mine became the default. Not super smart because they that's considered a crime. Wiretapping without permission. I wiretapping with there is no with permission.

and then it's, it's a five year penalty for one phone call. And I think I recorded 40. And the, and, you brought, but you didn't do that with the intent, mal intent. Like your modus operandi was for, for solving a problem, solving a problem and to identify it's, it's like a vulnerability test really. And, and, and you went and did it. It's like a bug bounty program almost.

You went and did it. brought it to their attention. Almost being the key word. There was no financial gain because of that. Only the potential for the potential of harm against you. It was a demonstration of really

Dino Mauro (23:28.856)
good technical skills and really poor judgment. it makes for a great night. Yeah, it sure does. They, they didn't arrest me luckily, but because there was no criminal intent. Like you went to the, you went to the FBI or the U S secret service office, right? And you had all of those recordings. And so you, and they didn't believe you at first. No, no, they thought I was a tinfoil hat crazy person. They actually said,

All right. Well, we'll get ahold of you if we have any, cause it could be fabricated. It could be a false flag. could be some sort of weird, like he's just trying to get in here and learn more about it using some pretext to get us to talk about the organization and learn about tactics, response times, knows espionage, right? Right. sure. It, got that vibe when they were sort of like, Hey, you can leave. We'll get ahold of you if we have any questions.

So I said, okay, I can just prove it. And if I can't prove it in five minutes or less, I'll buy your pizza is free. And the guy said, okay. And I said, take your phone out and call the office of the secret service in Washington DC, hoping that he would use like Washington DC secret service or flipped around. Pulls out a phone. I'm betting it was a Google phone at that point. And Google would have been his sort of default search. I was right.

He calls, he, yeah, this is agent so -and -so. He knows this guy on the other end. None of us, the two other agents and myself could not hear the conversation. He wasn't on speaker, but you could tell he knew the guy. They were familiar, small agency. He hangs up and then I got a notification on my phone saying you got a new call that would you like to listen to this for quality purposes for your new campaign? Like, yes, I would.

It would push play and then I turned it on speaker and then you could hear the phone ringing. The guy answered the phone and it was that cool guy voice like air traffic control. And then you hear both people talk and then he hangs up and then all of them were like, what do do now? And the one guy, all he said was, shit. And then they took all my stuff.

Dino Mauro (25:50.488)
Yeah, they just then and they like what put you in a room for a few hours. there's a guest suite. Not sweet. It's a tiny, tiny room with two or three chairs. And then everything else is bolted down. There's a handcuff bar. I'm assuming that's what that is. It doesn't seem to be like an assisted like railing for like a bathtub. It's more like there's no there's no shower in the room. So you're like, don't know what the rail is. No, no, no. It was a real it was a real bummer of a room.

Yeah. but I stayed in there for, I mean, they wanted to ask me a few questions for four hours until they finally called Google and yelled at them and told them to turn off, business registrations until they fixed. So that's where the vulnerability was is the public was able to manipulate the way the algorithm works, right. And the way they, okay. And then, and then, so Google turns this off and

Secret Service thinks this has gone away, but then a couple months later Google turned it back up. Well, I demonstrated it a year later in my Ted talk that I put a snowboarding shop in the White House called Edwards Snow Day.

It's still one of my favorite jokes. first I'm hearing of this. So this is great. So by the time this goes public, I'm going to have found this and I'm to put the tips up here. There's a lot of articles of people going, no one knows who did this. And some people are thinking it's this guy or this guy. And you're like, I did a Ted talk on it. Like, no, the Ted talk hadn't even come out. It was like, they found it within days of it happening. People will look on the maps for edits and for people defacing stuff. And.

They found it pretty fast, which is why Howard University for the TMZ story. Howard University is a traditionally African -American African -American black college. someone changed the entire name of it to N word universe. My God. You're kidding. That's why they, that's why it was titled. That's why TMZ, because the cohost is black. And also it doesn't even need to be black for other people to give a crap. Like that's not a really cool thing to have. Yeah. It's still on cool. It's got to stop. So.

Dino Mauro (28:06.848)
Okay. And then so they call the guy that is the master of this and you're like, yeah, this is, this is something that can happen. People can mean I'm, totally for free speech. And I just want to figure out how a computer could like, if it sees you typing that word in more than once in your lifetime, like it not get flagged. just shuts everything down and be like, you've been cut off. Sorry. You can't say that six times in, you know, Yahoo chat. Yeah. Well, and think about, like, I think about that and I'm like, cause I'm a huge

freedom, like free speech, you should be able to say it even though you're an idiot. You should still be able to have your opinion. just don't have to. that wasn't true, I wouldn't. Yeah, exactly. Like I just don't have to like be persuaded by your by your view. But the right to say it is perfectly fine. However, with an asterisk, like if you're typing in like a machine and you're looking up bomb making material for airplanes or you know what I mean? Like stuff like that.

Like how to get rid of a body where to buy. Yeah. Like how does that not get like, okay, if they flag that like, but then the problem is, is where's the line, right? Like where's the line? mean, obviously after somebody blows up a place, they'll always go grab the drive. It is always difficult to find in. Yeah. That's the whole thing. Because what if you're just researching it as a kid researching serial killers and researching how they do, you know,

illegal to know the content, but then to act on that content to like start gathering materials. Exactly. Okay. That shows some intent to learn or apply the skill. And then you go and buy them and you start making. How about purchases though? you know, if you're not a true crime, right? You always hear these people that bury somebody in the woods, they're always going to Walmart and they're always buying like the same kill kit. Like somebody's buying

lie and bleach and rubber gloves and in the in the same level in the same thing and they're not buying Twinkies and milk and other stuff. Like that's the only thing they're buying. Like how does that not get flagged? Probably. Yeah. you're using a debit or credit card. And then if you brought your phone with most crimes now are being solved with, Hey, you were in this proximity of a tower when this murder, they know everybody who had a cell phone that was near a murder scene.

Dino Mauro (30:33.568)
And they'll pick people up and you're like, have no idea. I was in my house the whole time with another. Well, which is, yeah. Which is why you can hear about these people getting away with some of the stuff in the seventies and the eighties, but they could never get away with it now. Right. Like there's no way you'd be tracked. The comedian John Mulaney had the best comedy bit about that. Like a hundred years ago, crime was just dumb. was like, Hey, look, there's a pool of the killer's blood. Yeah. Somebody mopped this up. Like that's it.

There's no DNA. have no, you could, all you had to do is walk away from the crime and no one saw you. You were scot -free. Yeah. And now it's very different. Yeah. Well, and thankfully, right? Yeah. So, okay. So that was the TMZ interview and then someone was racist. Yes. And, and, and how did they do that? You came on as the expert and you went on to, which was fascinating. I saw another interview where you were talking about the vehicle hackings.

This was about six years ago. mean, cause I remember when this first came out, mean, lots of people have demonstrated vehicle. It's almost the guy who hacked the plane from in the right on its face. It sounds dumb. is dumb. Don't do that on the thing. You're flying while you're flying. Right. Yeah, exactly. You could demonstrate it in a simulation or Jeep or something. And then

interview, he's like, all right, hack my car. Be like, maybe, maybe not. Maybe be in a parking lot. Exactly. Maybe anything, but on the highway with other, but they were able to do it safely and demonstrate it. And now there's car hacking villages, there lots of different security. Absolutely. Yeah. Defcon's had that car hacking and village for a while. They've had it at, the black hat conference God twice. not. Interesting.

Interesting. So is it, is it the infotainment systems that compromise? Tesla's get connected and download updates over download updates over the internet. It's like magic. It's yeah, bliss. It's cellular throwing or something. So there's a connection there that has an

Dino Mauro (32:55.766)
a hardware address and if you can start identifying these vehicles. think that's probably the hardest part initially is identifying which vehicle. Right. And being able to make some sort of connection finding that access point and then figuring out the programming to make it go like turn it into a joystick and make the card or if it even has that capability. Sometimes it's just take activate on star.

kill the engine, some limited capability, but most cars as we evolve, we're going to have access to lots more. Absolutely. So yeah, learning this stuff is good for people. People are going to try to their advantage.

Dino Mauro (33:43.616)
make every car crash, who knows, limitless that people have come up with, put it in the trees and that either people get ideas from or at least learn at it.

Dino Mauro (33:59.31)
So it's very. Tell us a little bit about your book. So you you talk about fraud and consumer fraud and these. Or maybe it was. Google Maps in the reviews and the whole business around building fake.

look at that.

However, if you do want to read it for free, can go to Krebs on security or type. It should come up with a PDF. Like if you want to donate money or something, great. Donate money to this. There you go. That's fantastic. So it's very simple. It's about the Google maps stuff. applies to Amazon products will have fake reviews and they're always combating this stuff. Amazon's usually pretty good about it. However,

No one really is, no one's really developed a really good system. And AI will be used to check reviews, but then AI will be used to write them and there'll be this back and forth web. Well, that's what we're seeing. Let's talk about that arms race briefly. So what is your take on deep fakes? Because those scare the dickens out of me because I have created an avatar of myself. I've been able to.

Like I did a couple of segments on this show where it wasn't even me. And like some people that know me well could see it, but a lot of people that know me pretty well could not. And that is really scary. The amount of time you were talking in that last sentence was enough generated a semi decent. Exactly. That's exactly right. They aren't good.

Dino Mauro (36:08.984)
So if you watch narration on YouTube videos and you start recognizing the same voice from these websites that people use, because they're not they're using products. It's kids, it's teenagers, it's people in third world countries figuring out. Yeah, it's the hey, gents of the world and stuff like that. And they're smart. They're using it. They're executing a very long term strategy and it seems to work, but they don't know how to say the I they say for B or A .I.

Exactly right. And it's so silly when you're, it's going fast. You're like, yeah, did he just say, know, and how they, Phoebe fights cybercrime? Really? Did they say that? It's somebody calling my friend who then calls me to network me into the con and saying, yeah. He said they, they, found fire. Yeah. Right. For one that's, that right to they're from Mike.

Mm -hmm. They don't.

Have you ever tried to get Microsoft on the phone? You're not getting them, let alone them calling you. If all your co yes, like it's not going to happen. But the day way was we are at Microsoft. You are from Redmond. Yes. Yes. Redmond, Washington, DC. No, that's not correct. Sorry. No. And my friend who's Rato was like, no, I mean, these guys are really, really sure. I'm like,

Of course they know. con artists is like sort of. Yes. You don't have a Mac, you don't have one. Right. They don't have access to your computers. They're lying. They're lying to you. Right. Your money. It's pretexting Brian. It's pretexting. There's Redmond Washington and then there's Washington DC. Those are on the opposite sides of the country. someone who's not from the United States would think. Okay. Right. That's how you know. That's how the acronym.

Dino Mauro (38:07.314)
I saw an AI generated image yesterday that someone from church for growing up, like the mother of one of my friends shared. it's this really attractive police dude, nice haircut, holding his son, raising his son alone, joined the church, joined the police force, trying his a he's a movie star looking good looking kid. There's no way either of them are police officer and child. are movie stars.

The flag on his uniform is missing. There you go. But the flag on his house has an extra one. And then there's like 200 stars in the. They're like, no one's. no. No one's there. They're exploiting the patriotic part of you and you didn't even notice the literal patriotic part. No. And then they think you're you're bashing them for being Christian when it's like, no, they're collecting information about you exploiting that.

Yeah, because they know it's something that you're doing about and it's the amygdala highlight hijack like talking about They're preying on something of yours. That's It's exactly it hits the emotional component. Yeah, yeah work

Dino Mauro (39:29.952)
Exactly right. So one of the stories that I heard, which was amazing, was the one where employee gets a phishing email, business email compromise. It's an email, right? And it says, Hey, need you to wire some funds or do something, right? And they're like, no, that's weird. I'm not doing it. They say, okay, well then they follow it up with like a calendar invite.

for a zoom meeting or teams meeting and they jump on the call. Yeah. And the person is there and there's like seven or eight people on that call, all of the names that are in their directory at the company. Right. And they met, might've met a couple of them remotely and some others they, they might not know, but the names line up. is a, yeah, that's happened in Hong Kong. Yeah.

$20 million or something was, yeah, it was like $25 million in a series of transactions that added up to $25 million. And they were able to add, ask questions and get their questions answered all in real time. If I set up the right, like I've got a laptop right now, but I also have an external card that does deep fake processing. can do time. Like right now I have seven different cams.

So I've got the one here. It's got a teleprompter. It's got a low light lens. It's full frame, but I also got a webcam somewhere. I've got virtual cameras that are designed to take software and pipe it into you see. So some of them like, you've got your David Marrow and here, that overlay or like a third or like branding logos. You've got, a lot of options for software to do that, but then the option will pro thing.

and show you who you think you're and then fix the voice and fix the mouth. And with enough processing in advance, you can make the thing say anything, especially with this narrow view. Exactly. And the only way to really combat it is to make them do... Yeah, make them move their hand by their face. Or have a business process that prevents that from happening in that way. You cannot do in...

Dino Mauro (41:51.224)
changes over the phone, over text, over email. Without independently verifying through a normal channel. Right? I mean, that's, and that's the thing that boggles my mind when I hear of some of these breaches, there was a breach of a very large company. I'm not going to name their name, but the person that got breached, they, kept paying their multifactor authentication. Right? this was less like lapsus. How do you that with? Yeah, it's, it's, it's, it's like,

Yeah, it's the, it's, it's the MFA fatigue. And then they, and they get on like the Slack channel or the team's channel and they're like, you know, Hey, we're, we're IT or no, they, actually got them on WhatsApp, which was not a company communication channel. And they're like, Hey, this is IT. We're just doing this. Could you please approve the multi the MFA approval because we're resetting something for security. And the person's like, yeah, that's fine. Boom.

Why do people not realize they're not going to communicate to you through freaking WhatsApp? they're not going to go like your internal IT or your security provider is not going to communicate to you off channel to get something done. what I mentioned with hurry? Yeah. People don't want to lose their jobs. People are being bombarded with information and new stuff. And so all of a sudden you take someone out of their element and do

and someone's messaging them on whatsapp and they're okay hold on they're not taking time to think because this person's pushing the

And there should be a process that every employee goes through in the very beginning saying these are the threats. Right. Exactly. you're a you got to know someone's to a truck, steal what truck kill you is steal the truck. Like maybe list them out, even if it is scary. You need to know if you go to hike in Alaska and you don't bring a spray.

Dino Mauro (44:01.388)
Right.

And you. Yeah, I love the bear analogy. We use the bear analogy often because I kind of yeah, because I think like you're a hiker in the woods, you know, it's a bad terrain and there's a bear you hear it, you see it, you need certain things, certain best practices to kind of see where the bear is, do a bear like throw out a bear trap.

have bear spray. You have to know what to do. Should the bear approach you? Are you supposed to get big? You're supposed to just cower. You're going to try and outrun that thing, right? Like all of those things. How many people think you could fight a bear and win it? The surveys that people have actually done it's. Yeah, I can beat a lion, a bear, be like, no, no. Right. Right. And you're not going to outrun it. You just have to outrun the other hiker with you. Like that's it. So they run 40 miles an hour.

Yeah, don't need the same bowl. Right. You just have to you just have to the other guy with you who's not in as good a shape. You just have to be able to outrun them. If they could get the bears like inner monologue, he's like, I'm going to get you. he's climbing a tree. I wonder. that's dumb. I wouldn't have done that. Like, guess who's going to exactly right here. One a medal. I've got a medal in it in grade school. They awarded it to me. I love a good high.

It's great. They're going to be frisky. Are they? Here we go. I'm on my way. Favorite tree. It's my favorite tree. was up there Thursday. Knowing what the risks are and rushing. Yes. Not rushing your employees, not forcing them to do more than is possible reasonably. Yeah, that's a point because I don't think when, you know, when people started an organization, they get the, all the standard boring security awareness training.

Dino Mauro (46:06.594)
Right. And, they don't get the training of like, these are the apps that we use. This is how we communicate. If somebody's reaching out to you outside of this for work related stuff, stop. don't, don't do romance scams. example, there are people pretending to soldiers stuck in field and they need you to send them money. they get home. That's we don't just send one guy. We don't do that. That's not how any of this works.

They have so much access to internet and other things. They're not, they don't need no, no, but so much money's lost because people want to believe in people are very charmed and say, they're calling from Redmond, Washington, DC. Correct. Old hometown of red. It's, there's a lot of things that need to get adjusted. And the more people know about this, I don't like just, Hey, it's fear.

fear you need to operate and live that way. mean, outlets that make a living that way. And that's fine. No, think it's more just being aware and just having like, if you can entertain people and get people to kind of enjoy the process of being aware of some of these outrageous stories, then it kind of can resonate, right? Like not make them feel guilty. No, it happens to really smart people.

Like some of the smartest people in the world are also very big idiots and make dumb choices. And like, if you're busy, you're like, Hey, yeah, fine. And he's, whoops. There goes the company. So don't take yourself too seriously. You're not as important as you think you are. Like you're researching cancer and then you totally are. And don't check your phone. Yes. And please don't buy. Yes, please don't. If you're actually doing something that matters in the world, need to be protected. Please. Yeah.

Don't don't don't approve the MFA if somebody contacts you on what's whether or not you like Joe Rogan. One of his bits is my favorite. He goes until I send you in the woods and you can put a camera in a smartphone and take a picture to me. Where are those people who know how to do that? I do that like we need to be protected people because we're all screwed if like we go back to the Stone Age. Yes. Yeah, that's exactly right.

Dino Mauro (48:32.11)
That's a good more people know about it. You'd be surprised how often people I know from 12 step meetings, parents have sent money to get couriers to bring them lottery winnings from countries they've never been to and let alone played the right, but they want to believe so badly. Well, and that's where and that's where the AI deep fake part really plays into the emotions too, because they can mimic somebody's voice and be like, this is

Is your daughter, right? Like, like, I need something and it sounds just like her. And if you hear that as a parent, right? You're just like, my God. But it's, that's at the moment when you have to go, hang on, let me try and reach out to her. Like, just let me double check. Right. You have to have that independent verification step in everything that you do. Fight or flight response on information that you can't easily verify. Just being able to go, all right.

If I'm going to panic, I can panic later. So just chill out. Like we'll put this on hold. Pause it. Yeah. Can I put a pin in the, put a pin in the absolute panic freak out stage and then do it. The idea that send or you post tons of video while bling. Yeah. I think we've done a good job, but please don't do that. Like listeners, like wait, you can just wait until you're home because

There are people, mean the OSINT, ability to, and when you take a picture, right? Don't take a picture with like your family members in back or let's shows your home and everything. Like they're able to determine all of that stuff, right? They're able to determine from the metadata, like where the picture was taken, when the picture. Web sites will strip out the metadata, but there are some people, I swear to God, even

know how much time it would take, but some of the geoant guys who, guess this location challenge will then in less than second go, Hmm, that looks like sub -Saccharin Africa soil. no, that garbage cans from Molly. All right, look, it's Molly. Let's pick this city and they go bang. And it's like, you're like, how many times have you done this? But they can recognize soil, that's exactly right. That's I had Michelle Khan on.

Dino Mauro (50:55.918)
And he was explaining, was just talking to Michelle like 15 minutes ago, because we both spoke at black hat. both are in a, he's one of my. Yes. Yeah. I've got his, it's not obvious, he is by far a better hacker. He's phenomenal. Like, do you know that his public address was like the address for Tony Stark in Marvel? And like, when you look him up.

Yeah, that's right. His, his home address. He's iron man in the ground of his studio. His, and he worked for one of the address of Marvel. Like that's his, when you go into those us people searches and stuff like that, where they'll be able to find all of our houses. Yeah. His address is like Tony Stark's house. Yeah. And the guy he worked with for a long time was an FBI, former FBI agent who's a privacy. He he's like, get off the grid, disappear completely.

put your car in a real estate trust, get a license flipper and like he doesn't have any photos of him on the internet and like, well, okay. Get, I honestly do get the, the reason for that level of, but it does make it easier to exist in the world when it's right. even if it's not an attractive face, like I, I've never been good looking. I've been fine with that. Like I didn't become a model. That's why I, that's why I'm not, that's why I've got a great face for radio.

And then you never have to worry about it because you're not trying to be that. And you can then go and people recognize you and you can get more gigs. If he's already got all the pedigree he needs and he's got all the work, that's fine.

second to things. Yeah. just along just great. Yep. That's great. Pinging stuff off of him be like, can you me figure this out? And like, yeah, it's just, well, he's one of those guys that does that. He'll, he'll like throw a picture up and, and what the threads are amazing because like you said, within minutes, somebody's like looking at the soil.

Dino Mauro (52:58.488)
They they're looking at the way the sun is beating down. They can tell you what time of day it was where you can go. Okay, north, south, east, west. This is northern hemisphere. I can phenomenal. I can tell you, usually if it within a few hundred miles on time, if I'm lucky, I'll get it within a mile or two because I can see a turnpike or like a street sign that looks like something I've recognized because I've just traveled a lot. But if you've never traveled, these guys have just been playing this for so long or they're

sitting around on the Google map street. Yeah. Right. But that reverse image, that level of usefulness.

and people use these challenges to find people and like, look for. Unbelievable. Well, my friend, I could talk to you for hours. So yeah, no, just phenomenal. So entertaining. One of the most interesting guests we've had, I gotta tell you, w w it's true. What, as we depart, as we wind down, like, what are some of the best practices? What are some of your top best practices that you want to tell people to do?

well, I tell my teenage daughter, don't date a DJ, I don't think that applies here. That's a good one. I believe I've told my daughter that as well. Try to make your passwords.

Dino Mauro (54:22.74)
use lyrics from like a favorite song, have a couple of modifiers, but don't be or keeping database records of all the passwords you've ever used, not just the one that was breached. They're figuring out how to assemble a dossier on you. Don't use all your stuff. That is the weakest. There's something I read a stat.

weeks ago, it something like 70 some percent of everybody reuses. They're like, I've got a great password. I use it on everything. I'm like, Tabasco or Red Hot. like, first thing you said was great that you have a great password. The second phrase is what kills you. Right? You cannot reuse it. If you can't figure out what a good password is going to be, try to make something that's funny or look up funny password ideas and then extrapolate, but don't copy. Cause like

right

You'll find out six months later that that was a Trojan horse and it was just collecting data on you and sending it to the developer. Exactly. Use VPNs when you can. One that I will advocate for is like, I was just about to say Proton. They're not a sponsor. use Proton VPN all the time. You can have it on your phone. can have it there. Email. Yeah. Proton email is great. The only ones I know that their keys weren't leaked.

meaning that traffic can get inspected and people could see what you're actually doing. Or they don't blogs or sell you out with the subpoena as other things. Go and look at your stuff on the internet as if you were trying to sell. Look at your address, name, find yourself in white pages. You can go to a variety. I think I'd even

Dino Mauro (56:41.006)
Yeah, I've got it. Operation privacy. Operation privacy .com is fantastic. To be able to get yourself off the internet legally, removing yourself from from Google. And Michelle makes this available for free. He doesn't do it The idea being some people want to pay for the service, some for free. Go and spend the time and because

your literally it's your kids and family that are sort of there. And I don't say that like lightly. It's just, it's absolutely true. And I always tell everybody to freeze their credit, freeze your credit, freeze your freeze your child's credit. Like people forget to freeze their kids credit. It takes less time to unfreeze your credit than defrost meal that you had in the freezer. So it's,

That's phenomenal. Great advice. Great discussion. I would love to have you on again, man. If you ever run out. Dude, would love, I say we take one of the breaches that happens and just go to town on it and just talk, talk it through. There's so many. Yeah, there's so many, there's so many good life lessons that could be learned in a breach. And when I look at them, I don't try and blame the security team.

Because they could always happen. But the point is is there's usually a good life lesson in there that we can all learn Even strike thing that happened recently the way crowd strike handled it was amazing Yes, there's other responses that aren't so amazing when a company will like how How much a breach was actually affecting their data? well some of our data was compromised, but no one got access to okay. They got access thing. Yes

You always find out it's like six weeks after the SEC filing, right? Like they're like, yeah, it really wasn't that big of a deal. Investors, don't you worry. And then like six weeks later, conclusion that every two is the people who do penetration tests on their own companies, because some of them are required to the people who actively look for vulnerabilities of the people. Or be like that. If you're going therapy, it's to resolve things that are problematic in your life that are no longer serving you.

Dino Mauro (59:05.814)
Maybe you've got anger issues, maybe you've got a If I see someone too much, usually it means, there's something wrong in their life. That's not the problem.

Dino Mauro (59:20.576)
You go to therapy, you find the problems, you deal with them, you move on to the next thing. It's not a race, but the faster you get through them, the better.

Yep. Yep. That is fantastic. Thanks so much, Brian. I had a fantastic talk, man. That was absolutely great. We will definitely talk again. It's the only way I'll get included in a conversation with Chris Boss or some awesome guests. You will I would love to have you guys all on we should have you and Michelle on and I'll find I'll throw up some images. We'll throw up some images and we'll just see what we can

figure out actually, it's really not fair having him on you and I can do it. Cause you're really good at it. I'll throw up some images and compared to Mishaal That's fantastic. I'm funnier. Yes. We'll say you're much more entertaining. It's great. No, no offense, Michelle. Like Michelle's fantastic. I mean, I'd rather have his skillsets than be fun. Yes. He's pretty amazing, man. He worked for, it was a Brazzel, right?

Thomas Brazel, Michael, Mike, Mike, Brazelle And he's like the fixer in Hollywood who will go and like when someone, a celebrity buys a home, they're able to like keep it off the grid. And because, you know, celebrities still get on social media. You can tell like an LLC, right. And all their information was scrubbed from, you know, the time that anyone's ever heard of them or they had credit and like you go back. then every so often someone, the wife,

Or they forget like the nephew or like, or it comes out in litigation later or something. And then it, and then it gets disclosed. Right. There are billionaires on the, that would be on the Forbes list who pay to be off of. Yes. So if anyone ever thinks like I gotta be a billionaire and I want to be on the Forbes list, what are they? yeah. They don't want their kids kidnapped and held for ransom. They don't want to be in the pub. They don't want to draw the.

Dino Mauro (01:01:26.552)
draw the life they have enough things that they're happy about in life. They don't need to draw that life. Yes, that's exactly right. Very cool. All right, man. Thank you so much. Great episode. I will talk to you soon. I promise. Thanks, buddy. All right, talk to you. Bye.

you

Dino Mauro (01:01:51.31)
Join us as we go behind the scenes of today's most notorious cybercrime. Every time we get online, we enter their world. So we provide true storytelling to raise awareness, interviewing global leaders, making an impact and improving our world, translating cybersecurity into everyday language that's practical and easy to understand. We appreciate you making this an award winning podcast by downloading our episodes on

Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and now the show.